On 13 September 2017 at 19:54, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> > On Sep 13, 2017, at 4:10 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
> >
> > As Postfix SMTP server does not support SNI I think there is no point using
> > -servername option above, so the above can be shortened to:
> >
> > echo |
> > sudo openssl s_client -connect 127.0.0.1:587 -starttls smtp 2>/dev/null |
> > openssl x509 -noout -checkend 259200
>
> There is definitely good reason to avoid "sudo", which is unnecessary here.
> As for SNI, indeed not needed if the server being tested is known to be
> Postfix.

Thanks for the correction and confirmation.

> > I'm still unclear whether the test is against the certificate data that
> > is held within postfix or that is held within the SASL application
> > (dovecot or cyrus).
>
> Now you betray some confusion: SASL is NOT TLS and does not exchange
> certificates with the SASL client. The application protocol that
> supports SASL may run over TLS, in which case the server and sometimes
> also the client might present X.509 certificates, but SASL could not
> possibly do that absent a "TLS" mechanism for SASL that would use
> client certificates for authentication and then TLS as the SASL
> "security layer". AFAIK no such mechanism exists, and Postfix has no
> support for SASL "security layers" in any case.

Indeed I was confused! So I now understand that the certificate references in my /etc/dovecot/conf.d/10-ssl.conf:

ssl_cert = </etc/letsencrypt/live/mydomain.tld/fullchain.pem
ssl_key = </etc/letsencrypt/live/mydomain.tld/privkey.pem

are irrelevant for SMTP/SASL through Postfix, and are only relevant if the server is being accessed for POP3 or IMAP. From what I read at https://wiki.dovecot.org/SSL/DovecotConfiguration it seems that for Dovecot (unlike Postfix) a manual reload is needed to get it to re-read these certificates when they have changed. (All off-topic for Postfix, of course, sorry...)
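The expiry check discussed in the thread (the openssl s_client / x509 -checkend pipeline against the Postfix submission port, no sudo, no SNI), written as an added Python example that is not part of the original thread: it applies the same "expires within 259200 seconds" rule that -checkend uses, and the host, port and the loopback-by-IP assumption are mine, not the thread's.

```python
import smtplib
import ssl
import time

# Three days, the same window as "openssl x509 -checkend 259200" in the thread.
DEFAULT_WINDOW = 259200


def seconds_until_expiry(cert, now=None):
    """Seconds until the certificate's notAfter; negative once it has expired.

    `cert` is the dict returned by SSLSocket.getpeercert(); its 'notAfter'
    field uses OpenSSL's "Sep 16 12:00:00 2017 GMT" layout.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_after - (time.time() if now is None else now)


def expires_within(cert, window=DEFAULT_WINDOW, now=None):
    """True when the cert expires inside `window` seconds.

    Same rule as `openssl x509 -checkend`: expiring if notAfter < now + window.
    """
    return seconds_until_expiry(cert, now) < window


def fetch_starttls_cert(host="127.0.0.1", port=587, timeout=10):
    """Fetch the certificate the Postfix submission service presents via STARTTLS.

    No sudo or SNI is needed, as established in the thread. The chain is still
    verified against the system CA store; only the hostname check is disabled
    because we connect by loopback address (an assumption of this example).
    Keep CERT_REQUIRED: with verification off, getpeercert() returns {}.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # connecting by IP, not by the cert's name
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    cert = fetch_starttls_cert()
    remaining = seconds_until_expiry(cert)
    print(f"{cert['subject']} expires in {remaining / 86400:.1f} days")
    # Mirror -checkend's exit status: 1 when the cert expires within the window.
    raise SystemExit(1 if expires_within(cert) else 0)
```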